"Richard Basch via RT" writes:

> When a TGT has expired but is presented to the KDC, the KDC will log
> for server_principal@REALM, Ticket expired.
>
> Though patches have already been adopted to correct the service principal
> logging (which was faulty in 1.11 & 1.12), the client principal is not
> properly decoded/displayed, especially in the "expired ticket" case. This
> can make diagnostics a little more challenging in some cases.

I agree that omitting the client name from that error can make diagnostics challenging. I think we've known about this issue for quite some time, but haven't figured out a good way to fix it yet.

I would not expect fixing this to be easy. As I recall, there would need to be changes to the error paths in rd_req_decoded_opt() to preserve some of the decrypted and decoded ticket contents, and we would consequently have to work harder to correctly manage the associated memory allocations.